Mock-jwks api redirect_uri issue

Hi, I am a contractor for an English pharmacy company and we are trying to move to FHIR APIs for dispensing and prescribing.
Two weeks ago we tested the user-restricted auth flow to mock a bearer access token and use it for int API (prescribing API) testing.
But today we found out that the flow is broken at the second step - it throws an error “redirect_uri parameter is invalid”. The application-restricted flow works fine, but it is not enough, as actions other than “release nominated prescriptions” require user-restricted authentication.
The value that is returned for this request on the first step, “https://int.api.service.nhs.uk/mock-jwks/keycloak-client-credentials”, looks like this:

{
  "cis2": {
    "client_id": "pytest-nhsd-apim",
    "client_secret": "8af96060-a045-4ccf-9069-aa70cef39a6f",
    "redirect_uri": "https://example.org"
  },
  "nhs-login": {
    "client_id": "pytest-nhsd-apim",
    "client_secret": "8332c425-d69e-46ef-9241-69998fa81018",
    "redirect_uri": "https://example.org"
  }
}

But using this “dummy” redirect_uri for the next browser request gives this:

<p class="instruction">Invalid parameter: redirect_uri</p>

So, the question is: does the mock-jwks API support this redirect_uri value, or is there another list of URIs to use, or should we replace it with our own endpoint even for testing requirements?
For now the project settings are:

Thanks in advance!


Hi, we are aware of an issue with the default configuration and are investigating. You can also request a “custom” configuration by contacting the API-M via this link

Hi Alexei, can you use https://google.com as the redirect URI?

Hi John, yes it works indeed. Thanks a lot! I need to test it further and see if all the steps work as well.

Well, it passes the first step so I can use the “aal3” test user name and get the code. But then on step 5 I get an error response 400 Bad Request with body:
{
"error": "invalid_grant",
"error_description": "Code not valid"
}

I tried to use both values, https://example.org and https://google.com, on this step, and even tried to register these values as callback URLs, but it didn’t help.

The second part uses the values you entered into the onboarding platform when configuring the environment.

After a few attempts it works fine using https://google.com as the redirect_uri param in all the places in the requests. So I am able to get a bearer access token and download prescriptions with it.
Thanks for your time!

Not a problem. Unfortunately a different team manages the mock service and we are trying to ensure the documentation is up to date.


I am experiencing the same issue.

Hi @Shariq_Ayaz, did setting the redirect as google.com not work for you?

Thank you for your response.

I did try using redirect_uri=https://google.com, and that works fine for completing the OIDC login step; I can get a valid code and then exchange it for an id_token.

The issue comes later when I try to use that id_token in the token exchange with the NHS API Platform. Because the mock-jwks/keycloak-client-credentials endpoint always returns the generic client_id pytest-nhsd-apim, the id_token has: "aud": "pytest-nhsd-apim"

But my app’s actual client_id is: f5462fa6-50d2-40c3-ac80-053dae5da2c5

So when I call the /oauth2/token exchange, API Platform rejects it with:

"error": "invalid_request",
"error_description": "Missing or non-matching 'iss' claim in subject_token JWT"

Which is where I was expecting an access_token so I can query as a health worker for patient lookup on the PDS endpoints.
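Both failure modes in this thread, a redirect_uri that is not registered or differs between the authorize and token requests ("Invalid parameter: redirect_uri", "Code not valid"), and a subject_token whose aud/iss claims do not match the calling app, can be caught locally before the exchange is attempted. The pre-flight checker below is an added example, not NHS API Platform or mock-jwks code. The issuer URL, the app client_id, the registered callback list and the HS256 signing with a constructed secret are stand-ins so it runs offline; a real id_token is RS256-signed by the identity provider and must be verified against the provider's JWKS before any claim is trusted.

```python
"""Pre-flight checks for the two failure modes discussed in this thread.

Added example (not NHS API Platform or mock-jwks code). The id_token is
constructed locally and HS256-signed with a constructed secret so the checks
run offline; a real id_token is RS256-signed by the identity provider and must
be signature-verified against the provider's JWKS before its claims are trusted.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed placeholders, not real NHS values.
EXPECTED_ISSUER = "https://idp.example.test/realms/mock"
APP_CLIENT_ID = "my-app-client-id"
REGISTERED_CALLBACKS = ["https://google.com"]
TEST_SECRET = b"constructed-test-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_jwt(claims: Dict, secret: bytes) -> str:
    """Build a compact JWT signed with HS256 (used only to construct test tokens)."""
    header = {"alg": "HS256", "typ": "JWT"}
    encoded = [_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(encoded)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_hs256_jwt(token: str, secret: bytes) -> Dict:
    """Check the signature first, then return the claims; never trust unverified claims."""
    head, body, sig = token.split(".")
    expected = hmac.new(secret, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("id_token signature does not verify")
    return json.loads(_b64url_decode(body))


def check_redirect_uri(authorize_uri: str, token_uri: str, registered: List[str]) -> List[str]:
    """Findings for the 'Invalid parameter: redirect_uri' and 'Code not valid' errors.

    Authorization servers compare redirect_uri as an exact string, so the value sent
    to /authorize, the value repeated in the /token request, and the registered
    callback all have to be identical.
    """
    findings = []
    if authorize_uri not in registered:
        findings.append(f"{authorize_uri} is not a registered callback")
    if authorize_uri != token_uri:
        findings.append("redirect_uri differs between the authorize and token requests")
    return findings


def check_subject_token(claims: Dict, client_id: str, issuer: str) -> List[str]:
    """Findings for the aud/iss mismatch in the subject_token used for token exchange."""
    findings = []
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        findings.append(f"aud {audiences} does not include the app client_id {client_id!r}")
    if claims.get("iss") != issuer:
        findings.append(f"iss {claims.get('iss')!r} is not the expected issuer {issuer!r}")
    return findings


def preflight(authorize_uri: str, token_uri: str, id_token: str, secret: bytes) -> List[str]:
    """Run both checks and return every finding; an empty list means the exchange can proceed."""
    findings = check_redirect_uri(authorize_uri, token_uri, REGISTERED_CALLBACKS)
    claims = verify_hs256_jwt(id_token, secret)
    findings += check_subject_token(claims, APP_CLIENT_ID, EXPECTED_ISSUER)
    return findings


def demo() -> Dict[str, List[str]]:
    """Reproduce the thread's two situations with constructed tokens."""
    # Token minted for the mock's generic client, as reported in the thread.
    generic = make_hs256_jwt(
        {"iss": EXPECTED_ISSUER, "aud": "pytest-nhsd-apim", "sub": "aal3"}, TEST_SECRET
    )
    # Token minted for this app's own client_id.
    own = make_hs256_jwt({"iss": EXPECTED_ISSUER, "aud": APP_CLIENT_ID, "sub": "aal3"}, TEST_SECRET)
    return {
        # example.org at authorize, google.com at token: two redirect findings plus the aud finding
        "mismatched": preflight("https://example.org", "https://google.com", generic, TEST_SECRET),
        # consistent redirect_uri and correct audience: nothing to report
        "consistent": preflight("https://google.com", "https://google.com", own, TEST_SECRET),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result or "ok")
```

The checker refuses to read claims until the signature verifies, which is the order a relying party should always keep: the aud and iss comparison only means something once the token is known to come from the expected issuer. The aud check accepts either a string or a list, since OpenID Connect allows both forms.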